Tuesday, August 31, 2010

What A Card Skimmer Looks Like On An ATM

My card was recently compromised by using either the ATM or MTA MetroCard Machine. When thinking back, the MTA's machine did seem to not swipe my card correctly the first time. I'm thinking this is where it happened, at Grand Central Station off 42nd Street en route to the shuttle to Times Square.

A lot of you have been asking to see what a skimmer looks like before it's yanked off an ATM. Are they easy to spot or virtually unnoticeable? Our reader Timeus works for a bank and deals with this sort of thing every day, and he sent in the following photos. Enjoy.


He writes,

Now, let me explain some of the pictures. The scary thing when it comes to skimming device problems is that the skimming device itself is only half the battle, per se. Take the following example.

See that gray rectangular box? That box was attached to the lighting above the ATM screen. If you look closely, you see a small pinhole in that box? There is a camera in that box, aimed right down at the ATM keypad where people enter their PIN codes. Here's this device pulled off, sitting on the ground upside down, to show you the camera, with its Sony Lithium-Ion battery powering it.

[Editor's note: another reader, Will Z, sent us a link to a tiny battery-powered video camera he found through a simple Google product search. It looks strikingly familiar.]

Also included are pictures of the skimmer on the ATM, as some members of the site had asked to see, as well as the skimmer when it was removed.

The strange thing that gives this away to me as a skimming device is that the skimmer itself appears to be a part of what we call a Dip-Reader. A Dip Reader is where you slide your card in and out, like on the card reader you see in this picture of a Shell Gas Station card reader:


The other type of Card reader we use is what we call a motorized reader, where you slide your card in, and the machine takes the complete card, and then ejects it when you're done with your transactions. From the pics of this location, they stuck the housing for a dip-reader onto an ATM that has a motorized reader. That's a huge red flag to me, had I been someone who walked up to use this ATM before the reader was found.

Timeus also points out that even though the standard customer service rep may have no idea how to respond to your call if you try to report a suspected tampering, the bank's ATM security people will definitely want to know. He left a lot of good information in the comments to this post, so we've collected it together below for easier access.

I won't lie, skimming devices are still uncommon to come across. I can't tell you how many times we've spoken to a technician who says, "Well what do you know? I've heard of these things but this is the first time I ever saw one, what do you want me to do with it?" Not to scare anyone, but I've spoken to more than one police officer who has said, "Ok, what do you want us to do with it?"

The bank has to tell these people what to do with them, a lot of the time. Some PD will hold the device as evidence while our investigations unit tries to build a case and find out who was responsible, some PD simply destroy it; it seems to vary from one police department to the next.

[...]

If we get notified, we can begin notifying all potentially affected customers and begin the process of safeguarding their accounts. If we don't get notified, potentially hundreds, maybe thousands of accounts are at risk for fraud depending on how busy a particular ATM is.

[...]

We have procedures for situations where an ATM skimming device is found. There's almost always a number on the ATM to call in the case of any emergency, that goes directly to our Corporate Security Department. They will contact us, unless a customer gets to my department first via Customer Service. We would immediately shut down the ATM, dispatch a Second level technician to the site to evaluate the situation, remove the device, and send out a Privacy Event Notification to our investigations department as well as dispatch the police to meet our vendor tech on-site. We would also pull all ATM logs and submit that information with the Privacy Event Notification to notify all customers who were potentially affected.

In the future, if you ever come across a skimming device on an ATM, if you have the time, I know we appreciate a call to be notified. Trust me when I say, when a device is found, "alarm and whistles" go off in my department, upper management is notified and everyone gets involved.

In other words, if you end up talking to a standard CSR who doesn't get what the big deal is, try to find a way to reach the bank's security or fraud department instead.
